Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: receiving user input at a processing device that selects one of a plurality of certificate profiles for requesting a certificate, wherein each of the plurality of certificate profiles defines a set of defaults of the certificate's contents and a set of constraints for values associated with the certificate's contents contained in the certificate, wherein the set of constraints comprises a renewal grace period constraint and a key type constraint that specifies one or more permissible key types for a key contained in the certificate; generating, by the processing device an enrollment page with a profile enrollment form using the set of defaults and the set of constraints associated with the selected certificate profile, wherein the enrollment page is a web-based service page and the enrollment form is a Hypertext Transport Protocol (HTTP) based enrollment form, and wherein the generating the enrollment page comprises: retrieving a template file associated with the selected certificate profile for the enrollment form; modifying the template file according to the set of constraints associated with the selected certificate profile so that a user requesting the certificate is unable to request a certificate that does not comply with the set of constraints of the selected certificate profile; and presenting, by the processing device, the enrollment page with the profile enrollment form to the user; responsive to the user selection of one of the key types presented in the enrollment form, sending a request for information about the key type to a browser of a client; receiving the requested information about the selected key type from the browser of the client; responsive to receiving the requested information about the selected key type from the browser of the client, determining whether the client supports the selected key type in view of the requested information from the browser; receiving the profile enrollment form from the user with input provided by the user; generating an enrollment request for the certificate using the profile enrollment form and the input provided by the user in connection with the profile enrollment form; and sending the enrollment request to a certificate system (CS) subsystem to authenticate, authorize and issue the certificate, wherein the enrollment request complies with the set of constraints of the selected certificate profile before sending the enrollment request to the CS subsystem.
A method for requesting certificates involves a processing device presenting a web-based enrollment form to a user. The form is generated based on a selected certificate profile which defines default values and constraints for the certificate's content (e.g., renewal grace period, allowed key types). The enrollment page is dynamically generated by retrieving a template and modifying it to enforce the profile's constraints, preventing the user from requesting a non-compliant certificate. Upon user selection of a key type, the system verifies if the client's browser supports it. The completed enrollment form is used to create an enrollment request which is sent to a certificate system (CS) subsystem for authentication, authorization, and certificate issuance, ensuring compliance with the profile's constraints.
2. The method of claim 1, wherein the set of constraints further comprises an extension constraint, a usage extension constraint, a key constraint, a key usage extension constraint, a signing algorithm constraint, a subject name constraint, a unique subject name constraint, and a validity constraint.
In the certificate request method described in claim 1, the set of constraints defined by the certificate profile can also include constraints on certificate extensions (general and usage), keys (general and usage), signing algorithms, subject names (including unique subject names), and validity periods. These constraints, in addition to the renewal grace period and key type constraint mentioned in claim 1, are used to customize the enrollment form and validate the user's input, further ensuring that the generated certificate request adheres to the specific requirements of the selected certificate profile.
3. The method of claim 1, wherein the set of constraints further comprises a key-type constraint that specifies one or more permissible key types for a key contained in the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key types allowed by the selected certificate profile so that the user is unable to select a key type that is not one of the permissible key types allowed by the selected certificate profile.
Building on the certificate request method in claim 1, the certificate profile includes a key-type constraint that specifies the permissible key types. The enrollment page's form generation includes an input mechanism (e.g., a dropdown) that restricts the user to only selecting from these allowed key types. This ensures that the user cannot request a certificate with a key type that is not permitted by the chosen certificate profile, preventing invalid certificate requests from being submitted.
4. The method of claim 3, further comprising receiving user input that selects one of the one or more permissible key types for the key, and wherein the generating the enrollment page comprises updating the profile enrollment form with input associated with the selected key type.
Expanding on the key type selection in the certificate request method of claim 3, user input selects one of the permissible key types. The enrollment page generation process updates the profile enrollment form to include information associated with the selected key type. This could involve populating additional fields or modifying form behavior based on the chosen key type, tailoring the enrollment process to the specific requirements of the selected key.
5. The method of claim 3, further comprising: determining whether a second processing device of the user requesting the certificate supports an Elliptic curve cryptography (ECC) key type; presenting the ECC key type in the one or more permissible key types when the second processing device supports the ECC key type; and excluding the presenting of the ECC key type in the one or more permissible key types when the second processing device does not support the ECC key type.
Further refining the key type selection in the certificate request method described in claim 3, the system determines if the user's device supports Elliptic Curve Cryptography (ECC). The enrollment form presents ECC as a permissible key type option only if the device supports it. Otherwise, ECC is excluded from the list of available key types, preventing the user from selecting an unsupported key type and simplifying the process.
6. The method of claim 1, wherein the set of constraints further comprises a key-size constraint that specifies one or more permissible key-sizes for a key contained in the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key-sizes allowed by the selected certificate profile so that the user is unable to select a key size that is not one of the permissible key sizes allowed by the selected certificate profile.
Building on the certificate request method in claim 1, the certificate profile includes a key-size constraint specifying allowed key sizes. The enrollment form generation includes an input mechanism that restricts the user to selecting only the permissible key sizes defined by the profile. This could be achieved through a dropdown with allowed sizes, or input validation to prevent out-of-range values. This constraint prevents requests for certificates with key sizes outside the acceptable range.
7. The method of claim 1, wherein the set of constraints further comprises a key-size constraint that specifies a minimum allowable key length and a maximum allowable key length for a key contained in the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only input a key length that is between the minimum and maximum key lengths so that the user is unable to input a key size that is not one of the permissible key sizes allowed by the selected certificate profile.
Refining the key-size constraint in the certificate request method of claim 1, the certificate profile specifies minimum and maximum allowable key lengths. The enrollment form includes an input mechanism that validates the user's input, only allowing key lengths between the specified minimum and maximum values. This ensures that the user cannot enter a key length outside the permissible range, preventing the submission of invalid certificate requests.
8. The method of claim 1, wherein the set of constraints further comprises a signing algorithm constraint that specifies one or more permissible signing algorithms for signing the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible signing algorithms so that the user is unable to select a signing algorithm type that is not one of the permissible signing algorithms allowed by the selected certificate profile.
Expanding on the certificate request method of claim 1, the certificate profile includes a signing algorithm constraint that specifies allowed signing algorithms. The enrollment form generation includes an input mechanism that restricts the user's choice to only the permitted signing algorithms. This prevents the user from selecting an algorithm that is not allowed by the certificate profile, ensuring compliance and preventing errors during certificate creation.
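As an added illustration of how the constraints described in claims 1 through 8 (key type, key size range, signing algorithm, validity, renewal grace period) can be enforced both when the form is generated and again when the submitted request is checked before it reaches the CS subsystem, here is example code written for this page; it is not the patent's or any certificate product's own implementation, and the profile values, field names and grace-window semantics are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertProfile:
    """One certificate profile: a set of defaults plus a set of constraints."""
    name: str
    defaults: dict             # default certificate contents
    key_types: tuple           # key-type constraint (claim 3)
    key_size_bits: dict        # per key type: (min_bits, max_bits) (claims 6, 7)
    signing_algorithms: tuple  # signing algorithm constraint (claim 8)
    max_validity_days: int     # validity constraint (claim 2)
    renewal_grace_days: tuple  # assumed semantics: (days before expiry, days after)


# Constructed sample profile; the values are illustrative, not from any real CA.
SERVER_CERT_PROFILE = CertProfile(
    name="serverCertProfile",
    defaults={"validity_days": 365,
              "key_usage": ("digitalSignature", "keyEncipherment")},
    key_types=("RSA", "EC"),
    key_size_bits={"RSA": (2048, 4096), "EC": (256, 521)},
    signing_algorithms=("SHA256withRSA", "SHA384withRSA", "SHA256withEC"),
    max_validity_days=730,
    renewal_grace_days=(30, 7),
)


def offered_key_types(profile, browser_supported):
    """Key-type choices the enrollment form should present: the profile's
    permissible types minus any the client's browser reported it cannot
    generate (the ECC support check of claims 5, 14 and 15)."""
    return [kt for kt in profile.key_types if kt in browser_supported]


def validate_request(profile, req):
    """Re-check a submitted enrollment request against the profile before it
    is handed to the CS subsystem. The generated form only offers permitted
    values, but a hand-crafted POST bypasses the form, so the server must
    not rely on the form alone. Returns a list of violations (empty = OK)."""
    errors = []
    kt = req.get("key_type")
    if kt not in profile.key_types:
        errors.append(f"key type {kt!r} not permitted by profile {profile.name}")
    else:
        lo, hi = profile.key_size_bits[kt]
        size = req.get("key_size")
        if not isinstance(size, int) or not (lo <= size <= hi):
            errors.append(f"key size {size!r} outside {lo}-{hi} bits for {kt}")
    alg = req.get("signing_algorithm")
    if alg not in profile.signing_algorithms:
        errors.append(f"signing algorithm {alg!r} not permitted")
    elif kt in profile.key_types and not alg.endswith(kt):
        errors.append(f"signing algorithm {alg} does not match key type {kt}")
    days = req.get("validity_days")
    if not isinstance(days, int) or not (0 < days <= profile.max_validity_days):
        errors.append(f"validity {days!r} days exceeds maximum "
                      f"{profile.max_validity_days}")
    if not req.get("subject_name"):
        errors.append("subject name is required")
    return errors


def build_enrollment_request(profile, form_input):
    """Merge the profile defaults with the user's form fields (claim 10) and
    return the enrollment request only if it complies with every constraint."""
    merged = {**profile.defaults, **form_input}
    errors = validate_request(profile, merged)
    if errors:
        raise ValueError("; ".join(errors))
    return merged


def renewal_in_grace_period(profile, days_until_expiry):
    """Renewal grace period constraint (claim 1): accept a renewal request only
    inside the window from `before` days before expiry to `after` days past
    it (negative days_until_expiry means the certificate already expired)."""
    before, after = profile.renewal_grace_days
    return -after <= days_until_expiry <= before
```

The same validate_request pass is what protects the CA when the browser-side restriction is absent or tampered with; the form restriction only improves usability.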
9. The method of claim 1, wherein each of the plurality of certificate profiles defines a set of one or more inputs associated with the certificate profile, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input field for each of the set of inputs associated with the selected certificate profile.
In the certificate request method of claim 1, each certificate profile also defines a set of required inputs. The enrollment page generation includes an input field in the form for each of these required inputs. This ensures that the user provides all necessary information associated with the selected certificate profile before submitting the request.
10. The method of claim 9, wherein the receiving the profile enrollment form comprises receiving the profile enrollment form from the user as a Hypertext Transport Protocol (HTTP) form over a network connection at the processing device, wherein the HTTP form comprises information in the input field for each of the set of inputs associated with the selected certificate profile and fields for each of the set of defaults, and wherein the generating the enrollment form comprises generating the enrollment request for the certificate from the information in the HTTP form.
Building on the certificate request method of claim 9, the profile enrollment form is received over a network connection as an HTTP form. This form contains the user-provided information for the input fields and the default values from the selected profile. The enrollment request is then generated from this HTTP form data, combining user inputs with the predefined defaults to create a complete certificate request.
11. The method of claim 1, wherein the selected certificate profile is a renewal request profile, and wherein the generating the enrollment page comprises generating a profile renewal form using the set of defaults and the set of constraints associated with the selected renewal request profile.
In the certificate request method of claim 1, the selected certificate profile can be a renewal request profile. This means the enrollment page generates a profile renewal form using the set of defaults and constraints specific to renewal requests. This allows for a streamlined renewal process with pre-populated values and tailored constraints applicable to certificate renewals.
12. The method of claim 1, wherein the web-based service page uses Hypertext Markup Language (HTML) and JavaScript to generate the enrollment page.
In the certificate request method of claim 1, the web-based service page uses HTML and JavaScript to generate the enrollment page. This allows for dynamic form generation, client-side validation, and a rich user experience, improving the usability and efficiency of the certificate request process.
13. The method of claim 1, further comprising receiving input from an administrator to modify or create at least one of the plurality of certificate profiles.
The certificate request method of claim 1 can include an administrator interface. This interface allows an administrator to modify existing certificate profiles or create new ones. This enables customization of certificate request processes and ensures that the system can adapt to changing requirements or policies.
14. A method comprising: receiving user input at a first processing device that selects one of a plurality of certificate profiles for requesting a certificate, wherein each of the plurality of certificate profiles defines a set of defaults of the certificate's contents and a set of constraints for values associated with the certificate's contents contained in the certificate, wherein the set of constraints comprises a key-type constraint that specifies one or more permissible key types for a key contained in the certificate and a renewal grace period constraint; determining, by the first processing device, whether a second processing device of the user requesting the certificate supports the one or more permissible key types; generating, by the first processing device, an enrollment page with a profile enrollment form using the set of defaults and the set of constraints associated with the selected certificate profile, wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism that only displays the key types that are supported by the second processing device so that a user requesting the certificate is unable to request a key type that is not supported by the second processing device; presenting, by the first processing device, the enrollment page with the profile enrollment form to the user; responsive to the user selection of one of the key types presented in the enrollment form, sending a request for information about the key type to a browser of a client; receiving the requested information about the selected key type from the browser of the client; responsive to receiving the requested information about the selected key type from the browser of the client, determining whether the client supports the selected key type in view of the requested information from the browser; receiving the profile enrollment form from the user with input provided by the user; generating an enrollment request for the certificate using the profile enrollment form and the input provided by the user in connection with the profile enrollment form; and sending the enrollment request to a certificate system (CS) subsystem to authenticate, authorize and issue the certificate, wherein the enrollment request complies with the set of constraints of the selected certificate profile before sending the enrollment request to the CS subsystem, and wherein the enrollment request specifies a selection of one of the key types that are supported by the second processing device before sending the enrollment request to the CS subsystem.
A method for requesting certificates involves a first processing device presenting an enrollment form to a user. The form is generated based on a selected certificate profile defining defaults and constraints for the certificate (e.g., renewal grace period, allowed key types). Critically, the system determines if the user's second processing device (client) supports the permissible key types. The enrollment form only displays key types supported by the client device, preventing selection of unsupported types. Upon key type selection, browser information is checked for support. An enrollment request is generated from the completed form and sent to the certificate system (CS) for processing, ensuring compliance and selecting a supported key type.
15. The method of claim 14, wherein the determining whether the second processing device supports the one or more permissible key types comprises: determining whether the second processing device of the user requesting the certificate supports an Elliptic curve cryptography (ECC) key type; presenting the ECC key type in the one or more permissible key types when the second processing device supports the ECC key type; and excluding the presenting of the ECC key type in the one or more permissible key types when the second processing device does not support the ECC key type.
Further detailing the determination of key type support in the certificate request method of claim 14, the system specifically checks for Elliptic Curve Cryptography (ECC) support on the user's second processing device. If ECC is supported, it is presented as a permissible key type. If not, ECC is excluded. This ensures that the user can only select key types that are compatible with their device, simplifying the enrollment process.
16. A certificate system, comprising: a data storage device to store records of a plurality of certificate profiles, wherein each of the plurality of certificate profiles defines a set of defaults of a certificate's contents and a set of constraints for values associated with the certificate's contents contained in the certificate, wherein the set of constraints comprises a renewal grace period constraint and a key type constraint that specifies one or more permissible key types for a key contained in the certificate; and a certificate manager, coupled to the data storage device, to receive user input that selects one of the plurality of certificate profiles for requesting a certificate, to generate an enrollment page with a profile enrollment form using the set of defaults and the set of constraints associated with the selected certificate profile, and to present the enrollment page with the profile enrollment form to a user at a client, wherein the enrollment page is a web-based service page and the enrollment form is a Hypertext Transport Protocol (HTTP) based enrollment form, and wherein the certificate manager is to generate the enrollment page by: retrieving a template file associated with the selected certificate profile for the enrollment form; modifying the template file according to the set of constraints associated with the selected certificate profile so that a user requesting the certificate is unable to request a certificate that does not comply with the set of constraints of the selected certificate profile, and wherein the certificate manager is further to: receive the profile enrollment form from the user with input provided by the user; generate an enrollment request for the certificate using the profile enrollment form and the input provided by the user in connection with the profile enrollment form; send the enrollment request to a certificate system (CS) subsystem to authenticate, authorize and issue the certificate, wherein the enrollment request complies with the set of constraints of the selected certificate profile before sending the enrollment request to the CS subsystem; and wherein the key type constraint is checked at the client by: responsive to a user selection of one of the key types presented in the enrollment form, sending a request for information about the key type to a browser of the client; receiving the requested information about the selected key type from the browser of the client; and responsive to receiving the requested information about the selected key type from the browser of the client, determining whether the client supports the selected key type in view of the requested information from the browser.
A certificate system comprises a data storage device storing certificate profiles, each defining default values and constraints (e.g., renewal grace period, allowed key types). A certificate manager, connected to the storage, receives user input to select a profile. It generates a web-based enrollment form based on the profile's defaults and constraints, modifying a template to enforce rules. The user completes the form, and the manager generates an enrollment request which is sent to a certificate system (CS) subsystem for authentication, authorization, and issuance, ensuring compliance. Key type constraint checking is performed at the client by requesting browser information to verify support before submission.
17. The certificate system of claim 16, wherein the certificate manager comprises: a dynamic user interface engine to receive the user input that selects the selected certificate profile, to present a dynamically-generated enrollment page; and the CS subsystem coupled to receive the enrollment request from the dynamic user interface engine and to authenticate, authorize, and issue the certificate.
The certificate system from claim 16 utilizes a dynamic user interface engine that receives the user's profile selection and presents a dynamically generated enrollment page. A Certificate System (CS) subsystem receives the completed enrollment request from the dynamic user interface engine and handles authentication, authorization, and certificate issuance.
18. The certificate system of claim 17, wherein the dynamic user interface engine comprises: a web server to receive the user input that selects one of the plurality of certificate profiles; a form generator coupled to receive the user input from the web server, to access the data storage device to find the record of the selected certificate profile, and to generate the enrollment form using the set of one or more defaults and the set of constraints in the record; and a page generator coupled to receive the enrollment form from the form generator and to generate the enrollment page, wherein the web server is to present the enrollment page to the user after the enrollment page is generated by the page generator.
In the certificate system from claim 17, the dynamic user interface engine includes a web server for receiving user input. A form generator retrieves the selected certificate profile from data storage and generates the enrollment form using profile defaults and constraints. A page generator creates the enrollment page from the generated form, and the web server presents this page to the user.
19. The certificate system of claim 17, wherein the set of constraints further comprises a key-type constraint that specifies one or more permissible key types for a key contained in the certificate, and wherein the dynamic user interface engine is to generate the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key types so that the user is unable to select a key type that is not one of the permissible key types allowed by the selected certificate profile.
Building on the certificate system of claim 17, the dynamic user interface engine generates the enrollment form to include an input mechanism (e.g., a dropdown) that restricts the user to only selecting from the permissible key types defined in the certificate profile. This ensures that the user cannot request a certificate with a key type that is not permitted by the profile.
20. The certificate system of claim 17, wherein the set of constraints further comprises a key-size constraint that specifies one or more permissible key-sizes for a key contained in the certificate, and wherein the dynamic user interface engine is to generate the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key-sizes so that the user is unable to select a key size that is not one of the permissible key sizes allowed by the selected certificate profile.
Building on the certificate system of claim 17, the dynamic user interface engine generates the enrollment form to include an input mechanism that restricts the user to only selecting from the permissible key sizes defined in the certificate profile. This prevents users from selecting invalid key sizes.
21. The certificate system of claim 16, wherein the certificate manager comprises a profile generator to receive input from an administrator to modify or create at least one of the plurality of certificate profiles.
The certificate system described in claim 16 includes a profile generator. This component allows an administrator to modify existing certificate profiles or create entirely new profiles, enabling customization of the certificate issuance process and adaptation to evolving security requirements.
22. A non-transitory machine-readable storage medium having instructions, which when executed, cause a processing device to execute operations comprising: receiving user input that selects one of a plurality of certificate profiles for requesting a certificate, wherein each of the plurality of certificate profiles defines a set of one or more defaults of the certificate's contents and a set of constraints for values associated with the certificate's contents contained in the certificate, wherein the set of constraints comprises a renewal grace period constraint and a key type constraint that specifies one or more permissible key types for a key contained in the certificate; generating, by the processing device, an enrollment page with a profile enrollment form using the set of defaults and the set of constraints associated with the selected certificate profile, wherein the enrollment page is a web-based service page and the enrollment form is a Hypertext Transport Protocol (HTTP) based enrollment form, and wherein the generating the enrollment page comprises: retrieving a template file associated with the selected certificate profile for the enrollment form; modifying the template file according to the set of constraints associated with the selected certificate profile so that a user requesting the certificate is unable to request a certificate that does not comply with the set of constraints of the selected certificate profile; and presenting, by the processing device, the enrollment page with the profile enrollment form to the user at a client; receiving the profile enrollment form from the user with input provided by the user; generating an enrollment request for the certificate using the profile enrollment form and the input provided by the user in connection with the profile enrollment form; sending the enrollment request to a certificate system (CS) subsystem to authenticate, authorize and issue the certificate, wherein the enrollment request complies with the set of constraints of the selected certificate profile before sending the enrollment request to the CS subsystem; and wherein the key type constraint is checked at the client by: responsive to a user selection of one of the key types presented in the enrollment form, sending a request for information about the key type to a browser of the client; receiving the requested information about the selected key type from the browser of the client; and responsive to receiving the requested information about the selected key type from the browser of the client, determining whether the client supports the selected key type in view of the requested information from the browser.
A non-transitory computer-readable medium stores instructions that cause a processing device to receive user input selecting a certificate profile, where each profile defines defaults and constraints (e.g., renewal grace period, allowed key types). It generates a web-based enrollment page with a form based on these settings, enforcing the constraints to prevent non-compliant requests. The page is presented to the user. Upon submission, an enrollment request is generated and sent to a certificate system (CS) subsystem for processing, ensuring compliance. Client-side checks verify that the selected key type is supported by querying the user's browser.
23. The machine-readable storage medium of claim 22, wherein the set of constraints further comprises a key-type constraint that specifies one or more permissible key types for a key contained in the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key types so that the user is unable to select a key type that is not one of the permissible key types allowed by the selected certificate profile.
Building on the computer-readable medium of claim 22, the set of constraints includes a key-type constraint that specifies the permissible key types. The instructions cause the form generation to include an input mechanism that restricts the user's key type selection to only those allowed by the chosen profile, preventing invalid selections.
24. The machine-readable storage medium of claim 22, wherein the set of constraints further comprises a key-size constraint that specifies one or more permissible key-sizes for a key contained in the certificate, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input mechanism to allow the user to only select one of the permissible key-sizes so that the user is unable to select a key size that is not one of the permissible key sizes allowed by the selected certificate profile.
Building on the computer-readable medium of claim 22, the set of constraints includes a key-size constraint that specifies permissible key sizes. The instructions cause the form generation to include an input mechanism that restricts the user's key size selection to only those allowed by the chosen profile, preventing invalid selections.
25. The machine-readable storage medium of claim 22, wherein each of the plurality of certificate profiles defines a set of one or more inputs associated with the certificate profile, and wherein the generating the enrollment page comprises generating the profile enrollment form to include an input field for each of the set of inputs associated with the selected certificate profile.
Building on the computer-readable medium of claim 22, each profile defines a set of required inputs. The instructions cause the form generation to include an input field for each of these required inputs, ensuring that the user provides all necessary information for the selected profile.
August 12, 2014